Learn · Northstar IT

Ransomware Recovery: First 24 Hours

Immediately disconnect affected machines from the network. Do not power them off, do not reboot, and do not pay. Call your MSP or incident response provider. Preserve logs and memory state for forensics.

Should we pay the ransom?

No, except in rare cases with no recovery path and lives at stake. Paying funds future attacks, does not guarantee data return, and can violate Canadian sanctions if the actor is on a watch list.

Do we have to report a ransomware attack?

If personal data is affected, yes. PIPEDA requires notification when a breach creates a real risk of significant harm. Some provinces and industries have additional reporting requirements. Cyber insurance carriers also typically require immediate notice.

How long does ransomware recovery take?

With immutable backups, tested restore procedures, and a planned incident response, most SMBs are operational within 24 to 72 hours. Without those, recovery can take weeks or fail entirely.

Will cyber insurance cover the loss?

Most cyber policies cover incident response, forensics, legal, notification, and business interruption. Ransom payment coverage is being limited or excluded. Read your policy carefully and review with your broker annually.
